Question: Is the stealth mode of the macOS firewall good enough ?

Hello everyone,


I would like to get your input on whether or not the stealth mode of the macOS firewall is enough to stay totally invisible on public networks (airports, cafés etc.) but also at home against potential network-savvy malware that other, less "locked down", devices could catch.


In other words, are there countermeasures for hackers and malware/worm/virus coders to still detect me while on stealth mode with my Mac?


Thanks a lot !

MacBook Pro (13-inch Late 2011), macOS Sierra (10.12.2)


Question marked as Helpful

Feb 16, 2017 7:09 PM in response to smashr In response to smashr

The application firewall has specific purposes, and its ability to prevent unauthorized intrusion is limited. Please read macOS Sierra: Firewall pane of Security & Privacy System Preferences. Refer to "Enable stealth mode" to determine its purpose. There is nothing more to it than that.


The purpose of the macOS application firewall is frequently misunderstood. Not surprising, since it is woefully misnamed. There is no fire and there is no wall.


You should explain exactly what it is you want to accomplish. If you are sending unencrypted traffic over an open network then everything can be intercepted, "firewall" notwithstanding.

Feb 16, 2017 7:09 PM

Reply Helpful (2)

Feb 16, 2017 7:16 PM in response to John Galt In response to John Galt

Thanks for your input John !

To my understanding from the Sys pref pane, the stealth mode is supposed to keep safe from anything that would ping or scan the network, by not replying to requests etc.


Still a bit confused.


It's just that not all devices on my network are super safe, as I can't spend time on all of them to make them MI-6 grade, so I just wanted to ensure my Mac at least stays shielded from network attacks on my network by malware or on public networks by hackers.


From your link:

Enable stealth mode

In Firewall Options, select to prevent your Mac from responding to probing requests that can be used to reveal its existence. The Mac still answers requests from authorized apps, but unauthorized requests such as ICMP (ping) get no response.

What are those "authorized apps" ? The ones of the App Store ?

Feb 16, 2017 7:16 PM

Reply Helpful
Question marked as Helpful

Feb 16, 2017 7:19 PM in response to smashr In response to smashr

At home you are most likely behind a home router, so the Internet cannot see your Mac. Only the other devices in your home.


At a public WiFi they are generally behind a router as well, so it will ONLY be the other people sharing the router. And I've found that for a lot of those, they actually isolate each connection from the other (but that will not be 100%). That is to say, when I've tried to sniff for other users, I've only seen myself, even though there are others using their devices.


My point is that it is not going to be the entire Internet you are protecting yourself from with Stealth mode.


The only way your Mac would be visible is if you do NOT use a home router and connect your Mac directly to your Internet Service Provider's network connection (no router, and the ISP does not provide a router).


And totally invisible is impossible, as once you make a connection you are telling the other party where you are.


If and ONLY IF the public WiFi is NOT isolating each customer, other users would be able to sniff your traffic and see that you are there. No need to send a probe to a random IP address and hope it responds to detect if you are at that IP address, they can just read your network packets and see your IP address. Then they can target well known ports to see if you have them open. And then once they know what ports you have open, they can try to break in by guessing the necessary access codes (username/passwords, etc...).


NOTE: guessing your username and password is not trivial, especially if you use a good password, and your username is not 'root'.


If you are worried about public WiFi access, then use a VPN service and have all your network traffic go over an encrypted link to the VPN server, where it will be decrypted and put on the Internet. Hopefully no three-letter agency is capturing the output from the VPN provider's servers as it enters the Internet. Of course you could install a VPN server on a home system and connect to that. Your VPN server at home would then decrypt your VPN traffic and put it on the Internet just as you would if you were at home (NOTE: your surfing speed would be limited to your home ISP's upload speed, as you pull web pages in at home, encrypt them, and upload them over the VPN to wherever your Mac is sitting on a public WiFi; home upload speeds are often much slower than download speeds).


The best countermeasure on a Mac is that stuff between your ears. So far the biggest Mac threats are adware and phishing attacks. The adware requires you to be tricked into downloading and installing it. The phishing attacks generally send an email, or have a web page pop up, that makes you think it is an official request for you to call the 1-800 number and get credit card or access information from you, or makes you think you should log in with your Apple ID, PayPal account, etc. via the web link they provide. In other words, they get you to give up the information.


You should read

How does Mac OS X protect me?

<http://www.thesafemac.com/mmg-builtin/>

Feb 16, 2017 7:19 PM

Reply Helpful (1)

Feb 16, 2017 7:27 PM in response to BobHarris In response to BobHarris

Hi BobHarris, thanks a lot for your input as well.

I agree with you guys, it's just it seems I have a more naive vision of the whole thing unfortunately.

If I understand correctly from your explanations, locking down ports I don't use would be a great increase in security right ?

Do I have to do that on the Mac's firewall or on the router at home ? I guess on the Mac for public and router for internet ?


To be honest I'm more scared that my girlfriend's android phone gets a malware that then goes berserker on other devices on my home network or the same but from another computer with windows and less security for example.


Thanks for the link, I think John linked it to me in the past also xD !

However when I go to the Java linked in this article (link below), they explain how to deactivate Java and at the time I had tried that but then basically almost every website didn't work 😟

Feb 16, 2017 7:27 PM

Reply Helpful

Feb 16, 2017 7:34 PM in response to smashr In response to smashr

By default there are NO open ports.


System Preferences -> Sharing is where you open ports. So depending on what you enable, will be what ports are open.


Most require a username/password to get to anything useful (OK, printer sharing does not). Choose good passwords and it is unlikely anyone will break in. And if you enable Screen Sharing, DO NOT allow VNC viewers access, as that is an unencrypted connection that ONLY requires a password, and that password exchange is NOT encrypted either. Screen Sharing between Macs is fine, as it is encrypted and requires a username/password pair.


Other sources of open incursion are services that you install that have weak access controls, especially if you set up an app that allows remote access, such as TeamViewer.com (a great utility); you need to know what you are doing if you are going to keep it running all the time. The point is, you should think about the things you install, and imagine, if something allows remote access, what kind of damage could be done if you are not the one making the remote access, and how many hurdles are necessary to get access.


Again, that stuff between the ears is your best defense.

Feb 16, 2017 7:34 PM

Reply Helpful
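The point above, that stealth mode only hides the Mac from probes while System Preferences > Sharing is what actually opens ports, is easy to check from a terminal. The script below is an added example and not code from the thread or from Apple: it reports the Application Firewall and stealth-mode state with socketfilterfw, then lists every TCP listener that is bound to something other than loopback (the ports another device on the same Wi-Fi can reach) and maps the common ones to the Sharing service that usually owns them. The netstat sample embedded in it is constructed in the format `netstat -an -p tcp` prints on macOS, so the parsers run on any system; the live part only runs where socketfilterfw exists. The port-to-service table is an assumption about default services, not something the thread states.

```shell
#!/bin/sh
# Added example (not from the thread): audit what this Mac is actually
# listening on before relying on "stealth mode". Stealth mode suppresses
# replies to unsolicited probes such as ICMP echo; it does not close a port
# that System Preferences > Sharing (or an installed remote-access app) opened.
# socketfilterfw and netstat are macOS-specific; the parsers are exercised on
# a constructed netstat sample so the script runs anywhere.

SFW=/usr/libexec/ApplicationFirewall/socketfilterfw

# Report application-firewall state (readable without root).
firewall_state() {
    "$SFW" --getglobalstate
    "$SFW" --getstealthmode
    "$SFW" --getblockall
}

# Turn the application firewall and stealth mode on (run with sudo).
firewall_harden() {
    "$SFW" --setglobalstate on
    "$SFW" --setstealthmode on
}

# Constructed sample in the format of `netstat -an -p tcp` (not captured).
sample_netstat() {
cat <<'EOF'
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  192.168.1.23.49671     17.57.146.20.443       ESTABLISHED
tcp4       0      0  *.5900                 *.*                    LISTEN
tcp6       0      0  *.22                   *.*                    LISTEN
tcp4       0      0  127.0.0.1.631          *.*                    LISTEN
EOF
}

# stdin: netstat output. Print every TCP port in LISTEN state, one per line.
listening_tcp_ports() {
    awk '$NF == "LISTEN" { n = split($4, a, "."); print a[n] }' | sort -un
}

# stdin: netstat output. Print only listeners bound to a non-loopback address,
# i.e. the ports another device on the same Wi-Fi can reach.
exposed_tcp_ports() {
    awk '$NF == "LISTEN" {
             n = split($4, a, ".")
             addr = substr($4, 1, length($4) - length(a[n]) - 1)
             if (addr != "127.0.0.1" && addr != "::1") print a[n]
         }' | sort -un
}

# Which Sharing service usually owns a port (assumed defaults, not from the thread).
sharing_service() {
    case "$1" in
        22)   echo "Remote Login (SSH)" ;;
        445)  echo "File Sharing (SMB)" ;;
        548)  echo "File Sharing (AFP)" ;;
        631)  echo "Printer Sharing (CUPS)" ;;
        3283) echo "Remote Management (ARD)" ;;
        5900) echo "Screen Sharing / VNC" ;;
        *)    echo "unknown: identify with lsof -nP -iTCP:$1 -sTCP:LISTEN" ;;
    esac
}

# stdin: netstat output. One line per exposed port with its likely owner.
report_exposed() {
    exposed_tcp_ports | while read -r port; do
        printf '  %-5s %s\n' "$port" "$(sharing_service "$port")"
    done
}

echo "--- constructed sample ---"
sample_netstat | report_exposed
if [ -x "$SFW" ]; then
    echo "--- this Mac ---"
    firewall_state
    netstat -an -p tcp | report_exposed
fi
```

On the constructed sample the report shows 22 and 5900 as reachable from the LAN while 631 is loopback-only and therefore not listed. A port that shows up as "unknown" on a real Mac is the interesting case: it is something other than a Sharing checkbox, which is exactly the installed-service situation the reply warns about.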

Feb 16, 2017 7:53 PM in response to smashr In response to smashr

A Mac on a network created by a router under your sole control (meaning, it is secured from unauthorized physical access, unauthorized wireless access, and its firmware cannot be maliciously altered by accessing a configuration web page) is as secure as can be made reasonably practicable. That describes most people's personal home networks (hopefully).


That was not your original question though, since you specifically asked about public, open wireless networks. The above precautions are absent in such circumstances.


The "Enable stealth mode" means the Mac will not respond to anonymous ping requests. That's OK, but not that impressive from a security standpoint. If you use your Mac in a public area, additional precautions become necessary, and the application firewall has its advantages in that case.


What are those "authorized apps" ? The ones of the App Store ?


Not necessarily. That describes apps you specifically added to the application firewall's preferences, so that they can communicate.

Securing your Mac from malware is only a peripherally related subject. Essentially all cases of malware intrusion are the result of ineffective or otherwise inappropriate defenses, and the user willfully installs such things. It seems to me that in many cases computer users demand to install such things, demonstrating a blatant disregard for safe computing practices if not common sense. For more on that subject please read Effective defenses against malware and other threats.

Feb 16, 2017 7:53 PM

Reply Helpful

Feb 16, 2017 7:59 PM in response to smashr In response to smashr

To be honest I'm more scared that my girlfriend's android phone gets a malware that then goes berserker on other devices on my home network or the same but from another computer with windows and less security for example.


Google's Android operating system is a hopeless Petri dish of malware, but the mere presence of an Android device on your network cannot affect your Mac.


Windows PCs require their own malware protection, as they are yet another subject.

Feb 16, 2017 7:59 PM

Reply Helpful

Feb 17, 2017 5:14 AM in response to John Galt In response to John Galt

"and its firmware cannot be maliciously altered by accessing a configuration web page)"


I heard about that option to deactivate but forgot the name, can you refresh my memory please ?

For the router unfortunately I have a very basic ISP-issued router that isn't even compatible with OpenWRT and stuff like that so I seem pretty limited, for ex after a lot of research it doesn't seem I can make a vlan with it :/


Thanks for your input about the firewall and public networks as well as your guide on "sound judgement".

However, regarding this last one, of course sound judgement is the first thing to focus on, but I mean I once worked in an agency that used a whole Mac infrastructure with Mac servers for printers and everything, and the IT guys probably used a way to mitigate the damage between the computers if one got infected, I suppose; it sounds mandatory. I would just add a little layer like that on top of "sound judgment" because even if I also trust Apple a lot more than other companies, nothing is 100% secure on its own in my opinion.


I'm also curious to know what makes you think an infected android phone couldn't affect the Mac, ok it's not the same code etc but I mean you can download packet sniffers on android phones if you want so to me that seems more dangerous if for ex a malware would sniff from the phone and then send it to their home server. Granted it's just a phone but it's still more powerful than a computer from 5-10 years ago.

Feb 17, 2017 5:14 AM

Reply Helpful

Feb 17, 2017 5:49 AM in response to smashr In response to smashr

I'm also curious to know what makes you think an infected android phone couldn't affect the Mac, ok it's not the same code etc but I mean you can download packet sniffers on android phones if you want so to me that seems more dangerous if for ex a malware would sniff from the phone and then send it to their home server. Granted it's just a phone but it's still more powerful than a computer from 5-10 years ago.

But what are they sniffing? Your surfing habits?


All your really important web connections (like your email, the ones involving money, even credit card based mail order buying, etc...) will be using an https (TLS/SSL; aka encrypted) connection to login and exchange that information, so the android would just see strongly encrypted bits.


I would not worry about an android device in your home. And if you are that worried, only date people that use iPhones 😍


Now if you use the same password for ALL your sites, then if you access a weakly secured site that does not use https connections, the android could capture that, and then guess at other sites you might use and try the same username (often your email address these days) and try to break in.


So it is important to use different passwords for all your sites. Not really because of an android phone in your home, but because companies get hacked, and then usernames and passwords become known. If you are using the same password everywhere, the hacked information can be used to probe other institutions to see if it works on those.


Use a password manager and different passwords for everything. My wife and I use 1Password on our Macs and iPhones, but a lot of other people like LastPass. Both are well-respected password managers. I've been using a password manager since 2000, when I got my first Palm PDA device. I wouldn't try to use the Internet without one.

Feb 17, 2017 5:49 AM

Reply Helpful

Feb 17, 2017 6:30 AM in response to smashr In response to smashr

Before you leave home with that MacBook Pro, visit System Preferences : Sharing, and uncheck all selected items. If you are sharing a folder from your MBP, and you are in a public Wi-Fi destination, then your shared folder will be advertised to other users within that wireless cloud. Simple, guessable password, and you may have invaders.


The other thing that I do is switch off Wi-Fi and Bluetooth on my iPhone before I leave the house. I kept wondering why my list of wireless access points kept growing in my Mac's Network list, and then it was clear that the iPhone was sniffing the public locations that I visited, and via iCloud, syncing that information back to my Mac. If you are not using wireless headphones, having Bluetooth on only drains the battery, and provides another attack vector.


The local university provides free CISCO Virtual Private Networking (VPN) — that has a different installation configuration for faculty, students, and alumni. It configures the built-in macOS IPSec for secure connections. When I power on the MacBook Air in a public Wi-Fi area, and before I do anything else — I start this VPN service. I also monitor its progress on my menu bar, as occasionally the connection will drop.

Feb 17, 2017 6:30 AM

Reply Helpful
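The habit described above, starting the VPN before doing anything else and watching for it dropping, can be turned into a check. The script below is an added example, not part of the post or of any VPN client: it reads the routing table and reports whether the default route goes through a tunnel interface, and separately whether an IPv6 default route is still pointing at the Wi-Fi interface, which lets traffic bypass a VPN that only carries IPv4. The interface names (utun1, en0) and addresses are assumptions, and the routing table it parses is constructed in the format `netstat -rn` prints on macOS rather than captured; on a Mac it also runs against the live table.

```shell
#!/bin/sh
# Added example (not from the thread): before doing anything else on public
# Wi-Fi, check that the default route really goes through the VPN tunnel,
# and that an IPv6 default route has not stayed on the Wi-Fi interface
# (a common leak when the VPN only carries IPv4). On macOS, IPSec and
# OpenVPN tunnels appear as utunN/ipsecN; netstat -rn lists the route in use
# as the first "default" line of each address family. Interface names and
# addresses below are constructed for the example.

# Print a constructed `netstat -rn` table: $1 = interface of the IPv4 default
# route, $2 = interface of the IPv6 default route ("" for none).
sample_routes() {
    printf 'Routing tables\n\nInternet:\n'
    printf 'Destination        Gateway            Flags        Netif Expire\n'
    printf 'default            10.8.0.1           UGSc         %s\n' "$1"
    printf 'default            192.168.1.1        UGScI        en0\n'
    printf '192.168.1/24       link#5             UCS          en0\n'
    printf '\nInternet6:\n'
    printf 'Destination        Gateway            Flags        Netif Expire\n'
    if [ -n "$2" ]; then
        printf 'default            fe80::1%%en0        UGcI         %s\n' "$2"
    fi
    printf '::1                ::1                UHL          lo0\n'
}

# stdin: netstat -rn. Print the interface of the first default route for
# address family $1 (4 or 6); prints nothing if there is none.
default_route_iface() {
    awk -v fam="${1:-4}" '
        /^Internet:$/  { sec = "4"; next }
        /^Internet6:$/ { sec = "6"; next }
        sec == fam && $1 == "default" { print $4; exit }'
}

# Tunnel interface names: utun/ipsec on macOS, tun/ppp on other systems.
is_tunnel() {
    case "$1" in
        utun*|ipsec*|tun*|ppp*) return 0 ;;
        *) return 1 ;;
    esac
}

# stdin: netstat -rn. Print a verdict; return 1 if traffic can bypass the VPN.
vpn_verdict() {
    routes=$(cat)
    v4=$(printf '%s\n' "$routes" | default_route_iface 4)
    v6=$(printf '%s\n' "$routes" | default_route_iface 6)
    if ! is_tunnel "$v4"; then
        echo "vpn-down (IPv4 default via ${v4:-none})"; return 1
    fi
    if [ -n "$v6" ] && ! is_tunnel "$v6"; then
        echo "ipv6-leak (IPv6 default via $v6)"; return 1
    fi
    echo "vpn-ok (default via $v4)"
}

echo "tunnel up:    $(sample_routes utun1 utun1 | vpn_verdict)"
echo "tunnel down:  $(sample_routes en0 "" | vpn_verdict)"
echo "IPv6 bypass:  $(sample_routes utun1 en0 | vpn_verdict)"
if [ "$(uname)" = Darwin ]; then
    echo "this Mac:     $(netstat -rn | vpn_verdict)"
fi
```

Running `netstat -rn | vpn_verdict` from a shell loop or a menu-bar script gives the same "is it still up" signal the post describes, with the IPv6 case included. It checks routing only; a DNS resolver that stays on the hotspot's address would still leak the names you look up, and that is a separate check.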

Feb 17, 2017 11:46 AM in response to smashr In response to smashr

smashr wrote:


"and its firmware cannot be maliciously altered by accessing a configuration web page)"


I heard about that option to deactivate but forgot the name, can you refresh my memory please ?


The point is that router firmware is itself subject to exploits. Routers that use a web page for configuration are especially vulnerable. This is what I had in mind: http://kb.netgear.com/30632/Web-GUI-Password-Recovery-and-Exposure-Security-Vulnerability


Those vulnerabilities have been addressed, but new ones are almost certain to be discovered. They are likely to be addressed also... eventually... but it's up to the user to keep on top of that.


... nothing 100% secure on its own in my opinion.


Exactly, and if you bear that in mind you are less likely to be exploited. Just remember that depending on what you are considering, it is possible for the "additional layer of security" you seek to itself introduce vulnerabilities that would otherwise not exist. All effective security measures implement a multi-layered approach. While doing so, it's essential not to bore a hole through all your other defenses. That is just a general comment, but it is intended to address reliance upon any number of popular, non-Apple "anti-virus" or "Internet security" products. They don't help, and using them can only increase your threat profile.


BobHarris summarized your concerns regarding packet sniffers. In that regard there is no difference between using an Android phone or anything else. You should just be aware that personal information you share with people using Android devices may in turn become harvested due to the overwhelming amount of malware hosted on that platform. Since you can't control what devices people choose to use, you must control the information you choose to share with them. That essentially means anything you do on the Internet.

Feb 17, 2017 11:46 AM

Reply Helpful

Feb 23, 2017 2:06 AM in response to BobHarris In response to BobHarris

Thanks everyone for your help and input !

Regarding the sniffing, indeed there is a lot of ssl connections nowadays but sometimes sites drop the functionality for your connection if there is a bug or something but still let you access the site.


BobHarris, you mentioned 1Password, but why not use iCloud Keychain? I personally don't like the idea of trusting all my passwords to one company, so if I do it I might as well do it with a top-2 NASDAQ public one like Apple, and since you use Apple products anyway, I'm curious as to why you chose 1Password?


Nice one about dating people using iPhones LOL ! xD


So in essence my Mac is inherently, out-of-the box already well protected by Apple against worm attacks and stuff like that on my network if a device gets compromised right ? Unless I use non-ssl connections.


@ VikingOSX : Regarding the VPN, interesting to see some universities provide this and thanks for your input too. I was actually thinking of doing what a friend has which is configure a raspberry pi to create my own VPN without going through a service (free or paid), it's apparently easy to do with OpenVPN. But for the moment my home connection is horribly slow (living in the country side !). So if you guys like VPNs and have a good connection, check it out !


However and because I'm not used yet to securing a Linux system like on the Raspberry, I was also wondering about the risks to the network if the Pi gets infected.


The best solution in my opinion would be to create a VLAN (Virtual LAN) for my Mac and a VLAN for the android phone, the Raspberry and any other devices coming in the house, however I have no clue on how to make that with a Mac or if it's at the router level, if you guys have any knowledge or info on that in regards to how to do it with a Mac let me know !


Thanks again and have a nice day !

Feb 23, 2017 2:06 AM

Reply Helpful
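On the VLAN question: an ISP router with no 802.1Q support cannot segment the LAN, but the Mac can refuse unsolicited traffic from its LAN peers on its own, which is what stealth mode does not do (it only suppresses replies to probes, it does not block connections to an open port). The script below is an added example, not from the thread or from Apple: it writes a ruleset for pf, the packet filter underneath macOS that the Security & Privacy pane does not expose, which drops every unsolicited inbound packet on the Wi-Fi interface, keeps the Mac's own outbound connections and their replies working, lets DHCP replies in, and admits SSH only from a trusted host. The interface name en0, the trusted address 192.168.1.1, the anchor name lan-isolate and the output path are assumptions for the example.

```shell
#!/bin/sh
# Added example (not from the thread): isolate a Mac from the other devices on
# its LAN with pf, the packet filter under macOS that the Security & Privacy
# firewall pane does not expose. Stealth mode only hides the Mac from probes;
# this ruleset drops every unsolicited inbound packet on the Wi-Fi interface
# while the Mac's own outbound connections (and their replies) still work.
# The interface name, trusted host, anchor name and file path are assumptions.

# Write a ruleset for interface $1 that admits SSH only from the hosts listed
# in $2 (comma-separated, non-empty) into file $3; print the file name.
pf_lan_isolate_rules() {
    iface="$1"; trusted="$2"; out="$3"
    cat >"$out" <<EOF
# lan-isolate: generated example ruleset
wifi    = "$iface"
trusted = "{ $trusted }"
# Drop, do not reject: no RST or ICMP unreachable goes back, so a scan sees
# nothing, which is what stealth mode does for ICMP echo alone.
block drop in on \$wifi all
# Connections the Mac initiates, and the replies to them, are allowed.
pass out on \$wifi all keep state
# DHCP replies can arrive as broadcasts that match no state entry.
pass in on \$wifi inet proto udp from any port 67 to any port 68
# The one inbound service, restricted to the trusted hosts.
pass in on \$wifi proto tcp from \$trusted to any port 22 flags S/SA keep state
EOF
    echo "$out"
}

# Parse-check and load the file into its own anchor (macOS, needs root).
# Rules in an anchor are evaluated only once /etc/pf.conf contains
#   anchor "lan-isolate"
# and the main ruleset has been reloaded (pfctl -f /etc/pf.conf); they do not
# survive a reboot without a launchd job that reloads them.
pf_lan_isolate_apply() {
    pfctl -nf "$1" || return 1       # -n: parse only, refuses a bad ruleset
    pfctl -a lan-isolate -f "$1"     # load into the anchor
    pfctl -e 2>/dev/null || true     # enable pf if it is not enabled yet
}

rules=$(pf_lan_isolate_rules en0 "192.168.1.1" "${TMPDIR:-/tmp}/lan-isolate.pf")
cat "$rules"
if command -v pfctl >/dev/null 2>&1; then
    pfctl -nf "$rules" && echo "syntax OK: $rules"
fi
```

Two caveats before loading it at home rather than in a café: the inbound block also stops Bonjour discovery, AirDrop and AirPlay from other devices (they originate on the peers, so no state entry exists for them), and because `pass out` only keeps state for what the Mac initiates, anything the other devices need to push to the Mac must get its own `pass in` rule, as SSH does here. This is host-level isolation only; the Android phone and the Raspberry Pi can still see each other, which is what a real VLAN on the router would change.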

Feb 23, 2017 6:12 AM in response to smashr In response to smashr

BobHarris, you mentioned 1Password, but why not use iCloud Keychain? I personally don't like the idea of trusting all my passwords to one company, so if I do it I might as well do it with a top-2 NASDAQ public one like Apple, and since you use Apple products anyway, I'm curious as to why you chose 1Password?

1Password is very well respected as a password manager. It is one of the more popular password managers for the Mac. It is also cross platform.


The other very well respected cross platform password manager for the Mac is LastPass.com. It has a different pricing model.


Some of my reasons for using 1Password are historical. I started using a password manager in 2000 on my Palm PDA device. A few years later, I switched to a different manager, and had to go through hoops to transfer all my passwords (only managed it because I'm a programmer and was able to write a program to convert the exported data to a format the other manager could import). I used the 2nd manager for years, but when I switched to an iPod Touch, I needed a new manager. I have lots of sensitive information stored in my password manager, besides passwords (personal medical information, credit cards, building access codes, security alarm codes, financial, and the hundreds of web site passwords I've accumulated). 1Password would import all my information from the previous password manager.


1Password at the time allowed keeping my encrypted password file in sync across my Macs and my iOS device(s) (Keychain now allows that via iCloud, but that is a more recent addition). 1Password integrated with Firefox, my preferred web browser, with Command-Backslash to activate or an icon in the Firefox toolbar, and similarly for Safari (1Password works with other browsers as well). I personally think 1Password's user interface is more flexible and more user friendly vs Keychain Access. I can browse my passwords on my iPhone, which I cannot do with Keychain, which is most useful when I'm out and about and need to look up something stored in 1Password (such as the security system keypad access number at my Mom's house, or the lockbox code where a house key is kept for another relative).


By default Keychain is always unlocked while you are logged into your Mac. You can change that via Keychain Access, but then you find that you are being prompted for your password ALL THE TIME even for things you do not care about. 1Password also wants your password when you use it, but I can keep the "I'm not that worried about it" passwords in Keychain (WiFi access points, email password, and other apps that poll the web frequently), and everything else in 1Password. The iPhone version can use your finger print to unlock, and now the new Late 2016 Macbook Pro w/Touch Bar has a finger print reader as well, that 1Password works with (I really like it 🙂)


1Password has versions for non-Apple products.


Bottom line, as long as you are NOT using the same password for every web site, because it is easier to remember, then it does not matter how you manage them. Keychain is fine.

Feb 23, 2017 6:12 AM

Reply Helpful

Feb 23, 2017 2:08 PM in response to BobHarris In response to BobHarris

BobHarris wrote:


By default Keychain is always unlocked while you are logged into your Mac. You can change that via Keychain Access, but then you find that you are being prompted for your password ALL THE TIME even for things you do not care about.


Thanks for the details, indeed the iCloud Keychain kind of blocks you in the ecosystem I guess. Thanks for this information ! I'll consider 1Password for some other codes maybe I'll see.


Regarding the iCloud Keychain, indeed it's unlocked by default, I never knew what difference this made, does it mean the passwords are exposed if some kind of backdoor or virus targets that on my computer or they are encrypted anyway ?

Because the manager is unlocked by default but I still have to enter my computer password to unlock them.

Feb 23, 2017 2:08 PM

Reply Helpful